BT modems have NSA back-door, claim researchers

A team of researchers has accused BT of hiding a government back-door in the modems it provides to broadband customers, and claims the company is not alone in providing such access to supposedly private home networks.

Former contractor to the US National Security Agency (NSA) Edward Snowden kicked up a storm when he absconded with what is claimed to be millions of classified documents pertaining to what the military calls 'signals intelligence' and what the general public refers to as 'spying.' In selected documents leaked via the press, the US and other world governments - including our own - were accused of running a system of blanket data collection without oversight and without obeying the legal restrictions placed upon them. From placing back-door access into closed-source cryptography products to rumours that Windows itself carries NSA back-door code, to say 2013 has been a tough year for technology companies and government spies is perhaps under-egging the pudding.

Now, a team of researchers calling themselves The Adversaries have published a document (PDF warning) dubbed 'Full Disclosure: The Internet Dark Age' which accuses internet service providers (ISPs) in general and BT specifically of placing government back-doors into the modems provided to customers as part of their broadband packages.

The document starts by quoting a piece by noted cryptographer Bruce Schneier written for the Guardian, which states in part: 'The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on.'

The pseudonymous team then goes on to claim that it has the 'first independent technical verifiable proof that Bruce Schneier's statements are indeed correct.' Starting with a précis of the traffic-capture system believed to be used by the US NSA and the UK Government Communications Headquarters (GCHQ), the team makes a bold claim: 'BT Broadband equipment contain [sic] NSA/GCHQ back doors.'

Gaining local access to the BT Broadband modem provided to customers via a USB serial cable wired directly to the motherboard, the team claims to have discovered a hidden virtual local area network (VLAN) run by the modem and connecting it directly to the NSA and GCHQ's data-capture network. Not visible to any LAN-side packet capture tool, nor from the connected router's administrative page, the network presents all ports to the VLAN without restriction - providing the ability to, for example, insert false entries into the DNS table as part of a man-in-the-middle attack, to access computers on the LAN side of the modem, or even to mirror all outgoing and incoming internet traffic across the VLAN for capture - a mode the modem is claimed to use by default.

The team further claims to have evidence that this hidden network is owned by the US Department of Defence (DoD) yet operated within the UK. 'This clearly demonstrates that the UK Government, US Government, US Military and BT are co-operating together to secretly wiretap all Internet users in their own homes,' the document warns before adding that 'if you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed.'

BT has typically provided its high-end Infinity broadband product as a two-box solution, comprising a VDSL modem and a router connected to it by Ethernet cable. The document does not make clear which device is affected by the alleged back-door, but from comments on page 47 regarding physical barriers to analysis it would appear to be the separate modem - a device BT has stopped providing since the launch of the BT Home Hub 5 modem/router, which includes an integrated dual-mode ADSL/VDSL modem.

The provision of a locked-down, pre-configured modem/router for customers is a common trait of ISPs ostensibly as a means of simplifying support. The Adversaries claim a more sinister motive, pointing out that the locked-down nature of such devices makes it extremely difficult to validate their configuration. It is even claimed that while the back-door VLAN is enabled by default it is disabled selectively if the NSA or GCHQ believes a recipient may have the knowledge required to discover the hidden network.

These knowledgeable individuals are, the group claims, identified by requests to use a third-party router or modem, details of the open-source packages running on the BT-provided router, or a desire to install third-party firmware on the router. 'BT goes to extreme lengths to prevent anyone from changing the firmware,' the document claims. 'Those that come close are first subjected to physical and psychological barriers[,] and the few that overcome that are subjected to a separate NSA/GCHQ targeted social attack designed specifically to derail any engineering progress made.'

The group goes on to suggest ways to limit the impact of the alleged back-door, from installing a secondary open-source firewall downstream of the locked-down ISP-provided modem to protect internal networks, to tunnelling traffic out of the network through a known-good host, and one clear message: 'never trust closed source routers.'

Prior to the Snowden leaks, such claims would have seemed outlandishly paranoid - but there is mounting evidence that this is exactly the kind of caper the NSA and its partners would attempt. Technical evidence is provided towards the end of the document that seemingly validates the group's claims, too, or at the very least reveals a strange kind of misconfiguration that looks like a back-door hidden network - or, potentially, an entirely fictitious and hand-assembled collection of supposed console logs designed to give the impression of veracity.

Many security researchers are, rightly, suspicious of the team's claims. One particularly dismissive posting to the Errata Security blog explains how the use of network space seemingly assigned to the US Department of Defence might be nothing more than a mistake, with BT ignoring internet standards and co-opting an IP range that is not routed on the public internet for its own internal use. That is a conclusion with which rival provider AAISP agrees, dismissing the paper with the verdict that it 'presents no evidence that BT modems have secret spy back doors.'
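As an added illustration of the distinction Errata raises (this is not code from the paper, from BT, or from the blog), the following Python audit walks a LAN-side neighbour table and flags any address that falls outside the ranges home equipment is expected to use; the interface names and addresses are constructed samples, and an RFC 5737 documentation address stands in for the registry-allocated space the page mentions, since the page does not give the actual range.

```python
import ipaddress
from typing import Iterable

# Address space a home LAN or ISP access segment is expected to contain.
EXPECTED = {
    "rfc1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598 carrier-grade nat": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}
EXPECTED_NETS = [(label, ipaddress.ip_network(net))
                 for label, nets in EXPECTED.items() for net in nets]


def classify(addr: str) -> str:
    """Return the expected-range label for addr, or 'unexpected' when the
    address lies outside every range a LAN-side neighbour table should hold."""
    ip = ipaddress.ip_address(addr)
    for label, net in EXPECTED_NETS:
        if ip in net:
            return label
    return "unexpected"


def audit_neighbours(entries: Iterable[tuple[str, str]]) -> list[dict]:
    """entries: (interface, ip) pairs as read from a LAN-side ARP/neighbour
    table. Public space is normal on the WAN interface (the customer's own
    address), so only LAN-side entries outside the expected ranges are
    reported. Such a hit is evidence of *something* unusual, but on its own
    it cannot distinguish an ISP reusing registry-allocated space internally
    from a genuinely foreign segment; that is exactly the ambiguity at issue."""
    findings = []
    for iface, addr in entries:
        if iface != "wan" and classify(addr) == "unexpected":
            findings.append({
                "iface": iface,
                "ip": addr,
                "note": "registry-allocated space on LAN side: internal reuse "
                        "by the ISP or a foreign segment; needs verification",
            })
    return findings


# Constructed sample neighbour table (hypothetical; not captured from BT kit).
SAMPLE = [
    ("lan", "192.168.1.254"),  # modem management address: expected
    ("lan", "192.168.1.10"),   # a customer PC: expected
    ("lan", "100.64.3.7"),     # CGNAT space: expected on an ISP segment
    ("lan", "192.0.2.44"),     # documentation net standing in for public space
    ("wan", "192.0.2.45"),     # the customer's own public address: normal here
]
```

Running `audit_neighbours(SAMPLE)` reports only the `192.0.2.44` entry on the LAN side; the WAN entry in the same range is deliberately left alone.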

In what appears to be purely coincidental timing, Bruce Schneier has left his post of Security Futurologist at BT after seven years. According to an email sent to Ars Technica, the move has nothing to do with the supposed back-door or any potential NSA/GCHQ input into BT's affairs: 'No, they weren't happy with me, but they knew that I am an independent thinker and they didn't try to muzzle me in any way,' Schneier wrote of his former employers. 'It's just time. I spent seven years at BT and seven years at Counterpane Internet Security, Inc before BT bought us. It's past time for something new.'

For BT, and other ISPs, there are certainly some questions to be answered. At the time of writing, BT had not responded to a request for comment on the document.